FirstBlood-#440: Anyone can register as a doctor due to weak Invite key
This issue was discovered on FirstBlood v2



On 2021-10-25, newrouge Level 3 reported:

Hey, as it was mentioned in scope that doctor registration is in testing phase, I guessed it might be in a vulnerable state. So I figured out that anyone can register as a doctor with "INVITE-KEY: test".

Steps:

  1. Go to /register.php
  2. Pick a username and put test as invitecode.
  3. You have successfully registered and can access the doctor panel with the username and password provided.

Thank you

newrouge

P3 Medium

Endpoint: register.php

Parameter: invitecode

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
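
One way to keep a leftover test invite from ever being accepted, as an added example that is not FirstBlood's code: invites are random and single-use, short values are refused even when a matching row exists, and a release check lists weak codes still present. It is written in Python rather than the application's PHP, and InviteStore, legacy_codes, WEAK_CODES and leftover_weak_codes are hypothetical names.

```python
import hashlib
import secrets

CODE_BYTES = 16      # assumed policy: 128 bits of randomness per invite
MIN_CODE_LEN = 22    # length of secrets.token_urlsafe(16); shorter input is refused
WEAK_CODES = ["test", "invite", "doctor", "admin", "1234"]  # constructed sample list


def _digest(code: str) -> str:
    # Only digests are kept, so reading the table does not reveal usable invites.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class InviteStore:
    """In-memory stand-in for the invite table (hypothetical)."""

    def __init__(self, legacy_codes=()):
        # legacy_codes models rows left over from testing, such as "test".
        self._unused = {_digest(c) for c in legacy_codes}

    def issue(self) -> str:
        """Create a random single-use invite and store its digest."""
        code = secrets.token_urlsafe(CODE_BYTES)
        self._unused.add(_digest(code))
        return code

    def redeem(self, submitted) -> bool:
        """Accept a code once; refuse short values even if a row exists for them."""
        if not isinstance(submitted, str) or len(submitted) < MIN_CODE_LEN:
            return False
        d = _digest(submitted)
        if d not in self._unused:
            return False
        self._unused.remove(d)  # burn the invite so it cannot register twice
        return True

    def holds(self, code: str) -> bool:
        """True if the table still contains an unused row for this code."""
        return _digest(code) in self._unused


def leftover_weak_codes(store: InviteStore, candidates=WEAK_CODES):
    """Release check: which known-weak values does the table still hold?"""
    return [c for c in candidates if store.holds(c)]
```

Running leftover_weak_codes against the invite table before a release, and failing the build on a non-empty result, would flag a test row like the one described in this report.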